What is Phishing and Spoofing

Protecting Yourself from Phishing and Spoofing Attacks

Identity thieves try to obtain your personal information through scams called phishing (pronounced "fishing") and spoofing. Both scams involve fraudsters pretending to be an organization such as your bank or a retailer and using a fake email (phishing) or a fake web page (spoofing) to trick you into providing your username, passphrase or personal information.

What is Spear Phishing?

Top Tip – Spear phishing refers to highly targeted phishing attempts where, for example, the fake emails are specifically addressed to you and therefore seem all the more legitimate. Sometimes phishing and spoofing scams are easily spotted, but other times it is almost impossible to tell the difference between fake and legitimate solicitations.

Phishing messages will often include part of a legitimate website’s name in the link they want you to click on (such as http://cogipas.example.com/), so take a close second look. To make matters worse, the URL you see in an HTML-based email message or on a web page is not necessarily the true destination of the link.

How to Protect Yourself

First, hover over links without selecting them to see what address is displayed. Make sure that the true link looks valid before you select it or, better yet, type URLs directly into your web browser.

Manually typing in the address of the website you want to visit in your browser ensures that even if you receive a phishing message and react to it, you’ll always end up at the real website, so no damage will be done.

Also look out for the tone of the message. Many phishing messages attempt to scare you into accessing your account immediately, so that you won’t take the time to notice the spoofed site you were sent to is a fake. They’ll often threaten to deactivate your account, suggest you've got a large unexpected bill to pay, or say your account has been hacked.

Enable Email Phishing Filters

Many web browsers, email apps and webmail services offer phishing filters. These work similarly to spam filters in preventing phishing messages from reaching your inbox. Although the filters are not foolproof, they are one more layer of protection in your lines of defense, so use them.

Note, in particular, that banks do not include any links in their messages to you. Instead, their messages will ask you to use your browser and type in the domain name, which you can check on your bank statement or any official paperwork from the bank.

* * *

You should use the same technique of typing website addresses directly into your browser rather than selecting links even if a friend or other trusted source sends you a link to a website you know. The email may have come from a trusted source, but perhaps they have fallen victim to malware or were hacked. It’s always better to be safe than sorry.

Otherwise, you may not notice that the link is to www.c0gipas.com or to cogipas.example.com (rather than to www.cogipas.com) and that you are falling for a fake, spoofed site. To make sure you are dealing with a legitimate website, pay close attention to the website address displayed in your web browser’s address bar.
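
The checks described above (comparing the address a link displays with its true destination, and spotting lookalike addresses such as www.c0gipas.com or cogipas.example.com) can be automated when reviewing a suspicious message. The following Python code is an added example, not part of the original article; the trusted host list, the digit-for-letter swap table and the sample email body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"www.cogipas.com", "cogipas.com"}  # assumed: the hosts the reader expects
BRAND = "cogipas"                                   # assumed brand label
LOOKALIKE = str.maketrans("015", "ols")             # assumed digit-for-letter swaps (c0gipas)
SAMPLE = (  # constructed sample email body
    '<a href="http://cogipas.example.com/login">http://www.cogipas.com/login</a>'
    '<a href="http://www.c0gipas.com/">Verify now</a>'
    '<a href="https://www.cogipas.com/help">www.cogipas.com</a>')

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Host part of a URL or bare hostname, lower-cased; '' if there is none."""
    try:
        return (urlsplit(value if "//" in value else "//" + value).hostname or "").lower()
    except ValueError:
        return ""

def link_warnings(href, text):
    """Reasons a link deserves a second look (an empty list means none were found)."""
    real, shown, reasons = host_of(href), host_of(text), []
    if "." in shown and " " not in text and shown != real:
        reasons.append("displayed address differs from true destination")
    if real not in TRUSTED_HOSTS:
        if BRAND in real.split("."):
            reasons.append("brand name used as a label of another domain")
        elif real.translate(LOOKALIKE) in TRUSTED_HOSTS:
            reasons.append("lookalike spelling of the trusted host")
    return reasons

def scan(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: link_warnings(href, text) for href, text in parser.links}
```

Calling scan(SAMPLE) flags the first two links and leaves the genuine one clean. The code compares against an exact list of expected hosts, so an empty result only means none of these three checks fired, not that the link is safe.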

What to Do if You Get Phished In

If you do fall for a phishing message and provide your details to a spoofed website, go to the legitimate site and change your passphrase immediately. If the hackers beat you to it, they could lock you out of your own account, hijack it and perhaps attempt to breach your other accounts with the information they now have available.

If your account is hijacked and you are locked out of it, reclaiming it can be very difficult. You can’t just solve it with an email to the site’s helpdesk saying your account was hijacked and you want it back. If it were that easy, hackers would use the same technique to seize control of your account in the first place.

To help ensure that others do not fall for the same phishing attack, you could also report the incident to the Anti-Phishing Working Group (APWG) at http://www.antiphishing.org/. There may be no immediate personal benefit in reporting a phishing attempt, but it will help in the overall fight to reduce the number of people getting swindled.

If you do become a victim of outright identity theft, you should also report the matter to the FTC at https://www.ftccomplaintassistant.gov/. While the FTC will not resolve your individual consumer complaints, they will use the information to help in the pursuit of prosecutions and investigations as well as to detect patterns of unlawful activity.

As you can probably detect, you may have a long, hard, lonely slog to reverse the damage caused by the identity thieves. This is why prevention is so important.